ipdetecto.com logo
ipdetecto.com
My IPSpeed
Knowledge Hub
HomeKnowledge HubCommands Checking Open Ports
© 2026 ipdetecto.com
support@ipdetecto.comAboutContactPrivacyTermsllms.txt
Troubleshooting
5 MIN READ
Apr 19, 2026

Commands for Checking Open Ports

List local listeners with ss and lsof, map processes to sockets, prove reachability with nc and Test-NetConnection, and contrast LAN view with an external nmap scan through NAT and firewalls.

Listeners vs exposure

A service can listen on 0.0.0.0 or :: yet still be unreachable from the internet if a cloud security group, host firewall, or carrier-grade NAT blocks it. Treat local enumeration and external port scan as two different answers to “is this port open?”

Linux and macOS

GoalCommand patternNotes
All TCP/UDP listenersss -tulpnUsers see processes; root shows all PIDs
Who owns port 443sudo lsof -iTCP:443 -sTCP:LISTENHelpful when ss output is crowded
Quick connect testnc -vz host 443TCP handshake path, not ICMP

Windows

Get-NetTCPConnection -State Listen lists listeners; pair with Get-Process -Id. Test-NetConnection host -Port 443 exercises routing and firewall from that host’s perspective.

External truth

From a bastion or home connection run nmap -Pn -p 22,80,443 public.ip (only on networks you own or have written permission to test).

Related: netstat and ss on Linux, netstat vs ss, Nmap basics, Linux firewall commands.

Frequently Asked Questions

Q.Why does ss need sudo or root for the process column?

The kernel only exposes other users’ socket PIDs to privileged callers. Without sudo you may see listeners but question marks for processes you do not own.

Q.Why does ss show a port open but nmap from the internet says filtered?

A firewall, security group, ISP CGNAT, or port forwarding gap sits between views. Always reconcile host iptables/nftables, cloud SGs, and edge NAT rules.

Q.What is the difference between LISTEN on 127.0.0.1 and 0.0.0.0?

127.0.0.1 accepts only loopback connections from the same host. 0.0.0.0 (all IPv4) or :: means the service binds wider—combine with firewall policy to judge real exposure.

Q.How do I check IPv6 listeners specifically?

Use `ss -tulpn` and look for `tcp`/`udp` lines with bracketed IPv6 addresses, or `ss -6 -tulpn`. Test reachability with `nc -6` or `curl -6`.

Q.Can I trust online “open port checker” websites?

They only see what their scanner can reach and may cache results. For production evidence prefer your own controlled external host and log the exact timestamp and source IP.

Q.Why does Docker show many LISTEN entries I did not configure?

Published container ports create host listeners via docker-proxy or iptables DNAT. Map container publish flags back to the process list to avoid chasing ghosts.

Q.Does UDP show up the same as TCP in ss?

UDP is stateless—`ss` shows bound sockets but `nc -u` probes may still fail if an application does not reply. Combine socket listing with application logs.

Q.How is this different from finding my public IP?

Public IP discovery tells you the NAT exit address; port checks tell you which TCP/UDP ports accept connections on that path. Use the companion article “commands for finding public and private IP addresses” for egress vs interface checks.
TOPICS & TAGS
ss -tulpnlsof listening portsnmap check open portsTest-NetConnectioncommands checking open ports